Back to GimelSec's contests

PoolTogether Aave v3 contest - GimelSec's results

A protocol for no loss prize savings on Ethereum.

General Information

Platform: Code4rena

Start Date: 29/04/2022

Pot Size: $22,000 USDC

Total HM: 6

Participants: 40

Period: 3 days

Judge: Justin Goro

Total Solo HM: 2

Id: 114

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 4/40

Findings: 3

Award: $1,778.23

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPoolTogether

Findings Information

🌟 Selected for report: IllIllI

Also found by: GimelSec

Labels

bug
duplicate
2 (Med Risk)
sponsor acknowledged

Awards

1413.6415 USDC - $1,413.64

External Links

Link to GitHub issue

Lines of code

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L275

Vulnerability details

Impact

Although claimRewards() is supposed to be called by the owner or managers to claim the rewards, it still could be a "rug risk". The owner or managers can take all the rewards unconditionally.

Proof of Concept

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L275

  function claimRewards(address _to) external onlyManagerOrOwner returns (bool) {
    require(_to != address(0), "AaveV3YS/payee-not-zero-address");

    address[] memory _assets = new address[](1);
    _assets[0] = address(aToken);

    (address[] memory _rewardsList, uint256[] memory _claimedAmounts) = rewardsController
      .claimAllRewards(_assets, _to);

    emit Claimed(msg.sender, _to, _rewardsList, _claimedAmounts);
    return true;
  }

Tools Used

vim

Try to add some limitations or a timelock on claimRewards().

#0 - PierrickGT

2022-05-03T22:30:53Z

Governance will own this contract with a multisig that will need 7 signatures out of 11 members before a transaction can be sent, so it limits the possibilities of a rug pull. These rewards are not tokens deposited by the users, so it's also less of a concern.

#1 - gititGoro

2022-05-18T03:21:39Z

Duplicate of https://github.com/code-423n4/2022-04-pooltogether-findings/issues/89

Findings Information

🌟 Selected for report: MaratCerby

Also found by: 0x52, 0xDjango, 0xf15ers, Dravee, GimelSec, IllIllI, Picodes, delfin454000, gzeon, hake, kebabsec, pauliax, reassor, z3s

Labels

bug
QA (Quality Assurance)

Awards

333.6137 USDC - $333.61

External Links

Link to GitHub issue

Summary

We list 1 low-critical finding and 1 non-critical finding:

  • (Low) _requireNotAToken should check the token address != address(0)
  • (Non) Duplicate code of address check

(Low) _requireNotAToken should check the token address != address(0)

Impact

The decreaseERC20Allowance, increaseERC20Allowance and transferERC20 functions should check the token address != address(0).

Proof of Concept

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L296 https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L315 https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L332

Tools Used

vim

Check address(_token) != address(0).

(Non) Duplicate code of address check

Impact

In transferERC20, it checks that the _token address should not be aToken, which is implemented in _requireNotAToken.

Proof of Concept

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L337

Tools Used

vim

Use _requireNotAToken in the transferERC20 function.

#0 - PierrickGT

2022-05-03T22:35:44Z

(Low) _requireNotAToken should check the token address != address(0)

These functions are only callable by the owner or manager, so it's ok if we don't check for address zero.

(Non) Duplicate code of address check

Duplicate of https://github.com/code-423n4/2022-04-pooltogether-findings/issues/4

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xf15ers, 0xkatana, 242, Dravee, GimelSec, MaratCerby, Tadashi, TrungOre, WatchPug, defsec, fatherOfBlocks, gzeon, hake, horsefacts, joestakey, miguelmtzinf, pauliax, pedroais, peritoflores, rotcivegaf, simon135, slywaters, tabish, throttle, z3s

Awards

30.9833 USDC - $30.98

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

internal functions which are only used once can be inlined

The internal functions which are only used once can be inlined to save gas.

Proof of Concept

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L369 https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L388

Recommendation

Remove internal functions and add these code inlined.

#0 - PierrickGT

2022-05-03T22:36:48Z

Duplicate of https://github.com/code-423n4/2022-04-pooltogether-findings/issues/17

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter